A Russa-nexus adversary has been linked to 94 new domains, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities.
Cybersecurity firm Recorded Future linked the new infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that’s broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53).
“These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers,” the company said in a new technical report shared with The Hacker News.
BlueCharlie is assessed to be affiliated with Russia’s Federal Security Service (FSB), with the threat actor linked to phishing campaigns aimed at credential theft by making use of domains that masquerade as the login pages of private sector companies, nuclear research labs, and NGOs involved in Ukraine crisis relief. It’s said to be active since at least 2017.
“Calisto collection activities probably contribute to Russian efforts to disrupt Kiev supply-chain for military reinforcements,” Sekoia noted earlier this year. “Moreover, Russian intelligence collection about identified war crime-related evidence is likely conducted to anticipate and build counter narrative on future accusations.”
Another report published by NISOS in January 2023 identified potential connections between the group’s attack infrastructure to a Russian company that contracts with governmental entities in the country.
“BlueCharlie has carried out persistent phishing and credential theft campaigns that further enable intrusions and data theft,” Recorded Future said, adding the actor conducts extensive reconnaissance to increase the likelihood of success of its attacks.
The latest findings reveal that BlueCharlie has moved to a new naming pattern for its domains featuring keywords related to information technology and cryptocurrency, such as cloudrootstorage[.]com, directexpressgateway[.]com, storagecryptogate[.]com, and pdfsecxcloudroute[.]com.
Seventy-eight of the 94 new domains are said to have been registered using NameCheap. Some of the other domain registrars used include Porkbun and Regway.
To mitigate threats posed by state-sponsored advanced persistent threat (APT) groups, it’s recommended that organizations implement phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a frequent password reset policy.
“While the group uses relatively common techniques to conduct attacks (such as the use of phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable,” the company said.